Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D3F35C43381 for ; Fri, 8 Mar 2019 00:03:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 87EB72081B for ; Fri, 8 Mar 2019 00:03:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="NPxiPDi3" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726259AbfCHADY (ORCPT ); Thu, 7 Mar 2019 19:03:24 -0500 Received: from mail-qt1-f193.google.com ([209.85.160.193]:46545 "EHLO mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726234AbfCHADX (ORCPT ); Thu, 7 Mar 2019 19:03:23 -0500 Received: by mail-qt1-f193.google.com with SMTP id z25so19339856qti.13 for ; Thu, 07 Mar 2019 16:03:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=wMQE6YENFN3aj5oiI1bjsqrWhzqydPL47ix7MfHPddc=; b=NPxiPDi3dZyFveHVFUFZ5F4fooz9nOFx0+kDhRtbPkTMdsj6bTTRZwlQakF0HcgTjL RFNBa+K5jjpWDoF36lUbRzhOgLdgQuPHQdrSMRu5KYczixsLZ3Gv4vX++XN/XqnpnbIO Khnw3qHuX6eeaL2quWNROVnBSnoF+sq+pH0nk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=wMQE6YENFN3aj5oiI1bjsqrWhzqydPL47ix7MfHPddc=; b=HCkaFbJjizgANTg3VuLQNiuivrptS22yb9lSBX4aA5IroVXpvDITwh4J+7AbY8Ls1N /upk15tyYhbo8nghufraRAhB21hb42j+LzPPxrA+kaekgoHLjrrMZE720fBiCU5A18L2 coTVq2DpufvZC2WMhe4sCIGKeWv6VjjqlbQ3K+yy1zoC/ubBgU66xVYDmejx6JgjHmBW 6gb4cv+n9yrFg7LC8hZOmFKlnlEiDbnnlsCeH3Hc+OJicRK7rqTeNDQEqbt4VhP8t0R9 K8fTphB/S0EiQ7fGNGkQiVMi28YVPV1AgE8hT8Rdjd46vN2TtG6YbRrB2P+EeVGNpdf5 Ex1g== X-Gm-Message-State: APjAAAWMDno1p/nZ7xzaHxLZ3Ewd6hjL/BZYA0PkU3TO+Uw0dJ6DMbpK iC8oN/5sdGcNIl4CN7S1qinwlxrLj4M= X-Google-Smtp-Source: APXvYqyShHZsS0MUeMQeE54av7Zo+/wlG7ywUmwN/sYV4kqweyRRlv3xe7fqWK8TMX8b/mT60E9cQw== X-Received: by 2002:a0c:ba1d:: with SMTP id w29mr13072261qvf.228.1552003401902; Thu, 07 Mar 2019 16:03:21 -0800 (PST) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id h10sm5662134qta.3.2019.03.07.16.03.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Mar 2019 16:03:21 -0800 (PST) Subject: Re: [PATCH] Update cron use to pam interface To: "Sugar, David" , "selinux-refpolicy@vger.kernel.org" References: <20190305223316.19127-1-dsugar@tresys.com> From: Chris PeBenito Message-ID: <59271941-6b83-027e-2c78-ad80bd84a8d9@ieee.org> Date: Thu, 7 Mar 2019 18:55:43 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <20190305223316.19127-1-dsugar@tresys.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 3/5/19 5:33 PM, Sugar, David wrote: > I'm seeing a many denials for cron related to faillog_t, lastlog_t > and wtmp_t. These are all due to the fact cron is using pam (and my > system is configured with pam_faillog). I have updated cron to use > auth_use_pam interface to grant needed permissions. > > Additional change to allow systemd_logind dbus for cron. > > I have included many of the denials I'm seeing, but there are probably > others I didn't capture. > > type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 > type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 > type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins" > type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 > type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) > type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 > type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 > type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1 > type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 > type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 > type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 > type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) > type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' > type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' > type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' > type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' > type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' > > Signed-off-by: Dave Sugar > --- > policy/modules/services/cron.te | 4 ++-- > policy/modules/system/authlogin.if | 3 +-- > 2 files changed, 3 insertions(+), 4 deletions(-) > > diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te > index 3cb4cd65..4c2bccf4 100644 > --- a/policy/modules/services/cron.te > +++ b/policy/modules/services/cron.te > @@ -310,9 +310,8 @@ init_start_all_units(system_cronjob_t) > init_get_generic_units_status(system_cronjob_t) > init_get_system_status(system_cronjob_t) > > -auth_domtrans_chk_passwd(crond_t) > auth_manage_var_auth(crond_t) > -auth_use_nsswitch(crond_t) > +auth_use_pam(crond_t) > > logging_send_audit_msgs(crond_t) > logging_send_syslog_msg(crond_t) > @@ -434,6 +433,7 @@ optional_policy(` > ') > > optional_policy(` > + systemd_dbus_chat_logind(crond_t) > systemd_write_inherited_logind_sessions_pipes(crond_t) > ') > > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if > index 0153ab07..fe9ca3bb 100644 > --- a/policy/modules/system/authlogin.if > +++ b/policy/modules/system/authlogin.if > @@ -51,10 +51,9 @@ interface(`auth_use_pam',` > auth_domtrans_chk_passwd($1) > auth_domtrans_upd_passwd($1) > auth_dontaudit_read_shadow($1) > - auth_read_login_records($1) > - auth_append_login_records($1) > auth_rw_lastlog($1) > auth_rw_faillog($1) > + auth_rw_login_records($1) > auth_setattr_faillog_files($1) > auth_exec_pam($1) > auth_use_nsswitch($1) Merged. -- Chris PeBenito